Security mindset must change with cloud

SINGAPORE--Companies need to move away from the mentality of having complete control over their IT infrastructure and securing different IT stacks in a piecemeal manner when they make the move toward cloud computing, industry executives urge.

Jim Reavis, co-founder and executive director of Cloud Security Alliance (CSA), said traditional IT security practices have always been black and white in that tech departments know they have complete control over the company's hardware and infrastructure.

In knowing this, they can develop their own security regime or outsource it to a third-party provider completely, Reavis added during the CloudSec 2012 conference held here on Wednesday.

With cloud computing though, IT security has become more "grey" as traditional practices no longer apply. Companies and their IT teams will not know which part of the infrastructure they have control over and will have to work with service providers to ensure their systems are safe, he noted.

For companies that persists in the old mode of provisioning security for cloud-based IT systems, they will discover that such practices would hinder the scalability, agility, and lowered costs that cloud computing promises to deliver, noted Dave Asprey, global vice president of cloud security at Trend Micro.

The executive, who was also present at the CloudSec conference Wednesday, added IT departments are not being aggressive enough in adopting new technologies, particularly during the migration to cloud. For instance, when moving from physical to virtualized servers, companies will have to navigate through different components of an integrated IT environment such as public cloud services and desktop virtualization. In doing so, they end up deploying a glut of security products to protect the individual deployments.

Such actions, Asprey noted, negate the benefits of moving to cloud as they lower security, increase total cost of ownership, and make their IT systems more complex to manage.

Organizations should opt for a single management console or craft an integrated security model instead, he suggested. This model must enhance security across all systems at the same time, provide visibility to each component of the infrastructure, and have automated patching for the virtualized servers, he said.

Timothy Grance, senior computer scientist at National Institute of Standards and Technology (NIST), added during the conference that, above all, business factors must be considered alongside security. These include evaluating and understanding service level agreements (SLAs), he said.

Companies should also not be paralyzed by potential legal, security, and technical issues during the migration process in order to fully realize the potential of cloud computing, Grance urged.